Edge protection w/ endpoint

fsck · December 05, 2018, 12:26:47 PM

We have a Meraki MX100 running w/ Advanced Security licensing. This licensing has AMP/anti-malware protection and Anti-virus/anti-phishing. I was thinking to also add endpoint protection for users, an actual client install. Do you guys think this is excessive? Since I have protection at the edge, the endpoint piece isn't needed?

I came across Carbon Black and Cylance, and was impressed with the way they handle threats and monitoring. I figured if I had the budget, might as well use it and get even better protection.

deanwebb · December 05, 2018, 12:42:48 PM

You want multiple layers for security. Endpoint protection is a necessity.

fsck · December 05, 2018, 06:15:12 PM

And that's what I was thinking and kind of felt was the way to go. I just needed to voice it out. Thanks deanwebb!!

Do you have any preferences for endpoint security? Have you used either Carbon Black or Cylance?

Dieselboy · December 06, 2018, 12:28:51 AM

The meraki edge device cannot look into HTTPS or encrypted sessions so if they contain malware; they are allowed to pass on to the endpoint. You need endpoint protection in addition to be able to stop things such as this on the endpoint itself.

deanwebb · December 06, 2018, 03:09:32 PM

Quote from: fsck on December 05, 2018, 06:15:12 PM
And that's what I was thinking and kind of felt was the way to go. I just needed to voice it out. Thanks deanwebb!!

Do you have any preferences for endpoint security? Have you used either Carbon Black or Cylance?

I was talking with a guy about that last night. He did a bake-off between Crowdstrike, Carbon Black, and Cylance. Crowdstrike did the best job of identifying the malware and what it was trying to do, both Crowdstrike and Cylance stopped his custom malware in all use cases attempted. Cylance also involves whitelisting stuff, so it's very aggressive in blocking stuff, which was too much for his liking.

Dieselboy · December 07, 2018, 02:50:57 AM

I use Cisco AMP. Do you know how that fairs up to those products, Dean?

deanwebb · December 07, 2018, 07:02:54 AM

Quote from: Dieselboy on December 07, 2018, 02:50:57 AM
I use Cisco AMP. Do you know how that fairs up to those products, Dean?

He wasn't impressed with them because of the way the firewall module competed for resources with the firewall in a way that could brick the firewall.

Dieselboy · December 09, 2018, 07:47:43 PM

Was that solely FTD or ASA as well?

Although the Cisco AMP I am referring to is the software install on Windows / Mac / iOS / Android.

deanwebb · December 10, 2018, 10:01:27 AM

This was on the ASA.

As for the AMP client, I've actually used CounterACT to deploy it in an incident response. That was some vendor cooperation, I tell you what!

Did not get to see it in a PoC, though.